
2.5 Domain 2 · Threats, Vulnerabilities & Mitigations

Mitigation Techniques & Hardening

Explain the mitigations that secure the enterprise — segmentation, access control, allow-listing, patching, monitoring, least privilege, and hardening.

The Concept

A mitigation reduces the likelihood or impact of a threat. Security+ splits this objective into two pillars: mitigation techniques (what you do across the enterprise — segmentation, access control, allow-listing, isolation, patching, encryption, monitoring, least privilege, configuration enforcement, decommissioning) and hardening techniques (what you apply to the endpoint — endpoint protection, host firewall, HIPS, disable ports/protocols, change default passwords, remove unnecessary software).

The exam asks you to match threat to mitigation. Lateral movement → segmentation. Commodity malware → EDR plus patching. Credential theft → MFA plus monitoring. Ransomware → offline backups plus least privilege plus allow-listing. Supply chain → vendor assessment plus SBOM. Zero-day → defense-in-depth, because signatures cannot catch what is not yet cataloged.

Textbook

Segmentation. Break the network into zones — VLANs, security groups, microsegmentation — so an attacker who breaches one zone cannot freely pivot. Common zones: PCI, OT/ICS, guest, corporate, DMZ. Segmentation is the single most effective control against lateral movement, which is how ransomware and APT operators turn an initial foothold into enterprise-wide compromise.

Access control. ACLs (rule-based filtering on routers, firewalls, and file systems) and permissions (least-privilege at the object level via RBAC or ABAC). Access control answers the question: who can reach what, and at what level?

Application allow list. Default-deny: only approved executables run. More effective than blocklists because it catches unknown malware — the code has to be on the allow list to execute at all. Allow-listing is the single best mitigation for zero-day malware and one of the most-tested mitigations on the exam.

Isolation. Sandboxing (browsers, unknown attachments, suspicious files) and air-gapping (critical systems with no network connection). Isolation is stronger than segmentation — no communication at all, not just filtered communication.

Patching. Timely deployment of vendor security updates, tiered by criticality. The exam treats patching as the default answer for known CVEs. Patch cadence beats perfection — monthly for most, emergency for actively exploited.

Encryption. Data at rest, in transit, and in use. Encryption reduces the impact of exfiltration and theft — if the attacker takes the data but cannot read it, the breach is contained. Pair with key management; encryption is only as strong as the key lifecycle.

Monitoring. Continuous log and telemetry collection with alerting — SIEM, EDR/XDR, UEBA. You cannot respond to what you cannot see. Monitoring is both a mitigation (early detection shrinks dwell time) and a compliance requirement.

Least privilege. Users and services receive only the permissions needed to do the job — no more. Applies to humans, service accounts, API tokens, cloud IAM roles. Frequently tested examples: Just-in-Time (JIT) elevation and removing standing admin rights.

Configuration enforcement. Use baselines, CIS benchmarks, GPOs, Desired State Configuration, Ansible, or IaC to prevent drift. Systems start hardened and stay hardened. Drift is the enemy.

Decommissioning. Secure retirement of assets — data wipe, certificate revocation, account disable, license return, hardware destruction or reuse. The common failure mode is that assets are “removed from service” but not fully de-integrated — credentials, certificates, and logs linger.

Hardening techniques. Encryption at every supporting layer (disk, DB, channel). Endpoint protection (EDR, antivirus, HIDS) on every endpoint. Host-based firewall to restrict inbound/outbound at the host even when a perimeter exists. HIPS (host-based intrusion prevention) to block malicious in-host behavior. Disable ports and protocols (SMBv1, Telnet, LLMNR, NetBIOS — any unused service). Default password changes enforced on provisioning and audited. Remove unnecessary software (bloatware, unused utilities) to shrink the attack surface.

Reference

| Threat | Primary Mitigations | Why |
|---|---|---|
| Lateral movement (ransomware, APT) | Segmentation, microsegmentation, least privilege | Contain blast radius once a foothold exists |
| Commodity malware | EDR + patching + allow-listing | Signature detection + surface reduction + default-deny |
| Zero-day exploitation | Defense-in-depth — allow list, segmentation, behavioral EDR, least privilege | Signatures cannot catch the unknown |
| Credential theft / phishing | MFA, conditional access, monitoring, least privilege | Raise cost of stolen-password reuse |
| Ransomware | Offline backups, segmentation, least privilege, allow list, EDR | Limit spread, guarantee recovery |
| Supply chain (software provider) | Vendor assessment, SBOM, update integrity verification, monitoring | Trust-but-verify the consumed code |
| Known CVE | Patching (tiered by criticality) | Vendor fix already exists |
| Data exfiltration | Encryption (at rest, in transit), DLP, monitoring, segmentation | Reduce impact + detect + contain |
| Insider (malicious) | Monitoring, least privilege, separation of duties, DLP | Behavior-based detection of trusted users |
| Legacy / EOL systems | Isolation, compensating controls, migration plan | Cannot patch, so reduce exposure |
| Endpoint compromise | Endpoint protection (EDR), host firewall, HIPS, patching | Hardening at the device level |
| Default-credential exploitation | Change default passwords, configuration enforcement | Both a hardening step and a mitigation |
Key Takeaway

Segmentation limits blast radius; isolation eliminates communication entirely. When the question mentions “contain lateral movement between zones that must still talk to each other,” the answer is segmentation. When the question says “no network connectivity at all,” it is isolation or air-gap.

Real Scenario

A regional healthcare provider has just recovered from a ransomware incident. The attackers used a novel loader that bypassed the existing AV product for 11 days before detection. The CISO is asking what control would have blocked the initial execution. The Security Architect and the CISO debate allow-listing versus AV.

Scenario
Post-Ransomware Control Review
Regional healthcare · novel loader · 11-day AV blind spot
CISO: “We need to upgrade the AV. The current product missed the loader for 11 days. Let’s move to a top-tier EDR with a larger signature feed and ML.”

Security Architect: “Better AV helps, but it is still a blocklist — it blocks what it knows is bad. A brand-new loader is unknown by definition. The control that would have stopped this initial execution is application allow-listing — default-deny, only approved executables run. The loader was not approved, so it would not have run, regardless of whether anyone had ever seen it before.”

CISO: “Allow-listing has a reputation for operational pain. Are we really ready for that?”

Security Architect: “Start with the crown-jewel zones: clinical workstations with access to EHR and imaging servers. Pair allow-listing with EDR (behavioral detection on what does run) and segmentation (limit blast radius if something slips through). The combination is what turns a novel loader from a breach into a blocked process event.”
Compensating Action

Layer allow-listing onto EDR, not instead of it. Allow-listing stops the execution; EDR catches what runs and maps behaviors. Add segmentation so that even a successful execution is contained, and offline backups so that recovery is possible without paying. Four controls compound; any one alone is a single point of failure.

Real Talk — Career Context

Allow-listing is operationally expensive up front. You have to inventory what legitimately runs, build exception workflows, and support the help desk through the rollout. But once it is in place, it is one of the highest-ROI controls in the catalog. The exam’s framing of “most effective against unknown malware” is pointing you to allow-listing; the real-world framing is “hardest to run, but the one that catches zero-days.”

On the exam: if the question says “unknown malware,” “novel malware,” or “zero-day executable,” the answer is application allow list. If it says “known malware” or “commodity,” it is AV or EDR signatures.
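The blocklist-versus-default-deny distinction the Architect draws, as an added example that is not part of the original page: the executables are constructed records, the approved inventory and signature feed are constructed sets, and the trusted-signer rule is an assumption about how allow-list products keep exception volume down, not something the page describes.

```python
import hashlib
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Executable:
    name: str
    image: bytes            # constructed stand-in for the file's bytes
    signer: Optional[str]   # code-signing publisher, None if unsigned

def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

# Constructed AV signature feed: only samples already catalogued as malicious.
KNOWN_BAD_HASHES = {sha256(b"old-commodity-trojan")}

# Constructed allow list from the inventory step: exact hashes plus trusted
# signers (assumed publisher rule, so each vendor update is not a new exception).
APPROVED_HASHES = {sha256(b"ehr-client-4.2"), sha256(b"dicom-viewer-9.0")}
TRUSTED_SIGNERS = {"Example EHR Vendor LLC"}   # placeholder publisher name

def blocklist_decision(exe: Executable) -> str:
    """AV model: deny what is catalogued, run everything else (default-allow)."""
    return "DENY" if sha256(exe.image) in KNOWN_BAD_HASHES else "ALLOW"

def allowlist_decision(exe: Executable) -> str:
    """Allow-list model: run only approved hashes or trusted signers (default-deny)."""
    approved = sha256(exe.image) in APPROVED_HASHES or exe.signer in TRUSTED_SIGNERS
    return "ALLOW" if approved else "DENY"

def evaluate(launches):
    """Map each launch name to (blocklist verdict, allow-list verdict)."""
    return {e.name: (blocklist_decision(e), allowlist_decision(e)) for e in launches}

# Constructed launches: the 4.3 update and the in-house tool show where the
# exception workflow bites; the novel loader is the scenario's 11-day blind spot.
LAUNCHES = [
    Executable("ehr-client 4.2", b"ehr-client-4.2", "Example EHR Vendor LLC"),
    Executable("ehr-client 4.3", b"ehr-client-4.3", "Example EHR Vendor LLC"),
    Executable("known trojan", b"old-commodity-trojan", None),
    Executable("novel loader", b"never-seen-loader", None),
    Executable("unsigned in-house tool", b"hr-macro-helper", None),
]

if __name__ == "__main__":
    for name, (bl, al) in evaluate(LAUNCHES).items():
        print(f"{name:24} blocklist={bl:5}  allow-list={al}")
```

The novel loader is the row where the two verdicts diverge; the unsigned in-house tool is the row that explains the operational cost the CISO is worried about.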

Hard Choice

A manufacturer’s flat Class-B corporate network was hit by a worm that spread from a single infected laptop to 1,400 hosts in under four hours, crippling production. Patch levels were already 98% on monthly CVEs. Leadership asks: what is the single highest-ROI mitigation to prevent a repeat of this blast radius?

Option A
Aggressive patch program (same-day zero-day patching)

Move from monthly to same-day patch cadence for all critical CVEs. Invest in emergency deployment tooling so no host is more than 24 hours behind a critical fix.

Option B
Network segmentation + microsegmentation

Break the flat network into zones (corporate, OT, DMZ, user) with firewalled boundaries, and add microsegmentation within zones so hosts cannot freely talk peer-to-peer.

Verdict: Option B (segmentation) is the stronger fit for blast-radius containment.

Option B: The specific failure was lateral movement — 1 host to 1,400 in hours. Segmentation is the control designed for that failure. On a flat Class-B network, every compromised host can reach every other host. Break that with zones and microsegmentation, and the worm is trapped in the zone where it entered. This does not prevent initial compromise, but it drops the blast radius from “enterprise” to “segment.”

Option A’s kernel of truth: faster patching is always good and would have helped if the specific exploit had a patch available. But the scenario already says patch levels were 98% on monthly CVEs, and worms frequently use techniques that patching alone does not address (credential reuse, misconfigured shares, new exploits). Segmentation catches the failure mode that patching missed.

On the exam: “blast radius,” “lateral movement,” and “flat network” all point at segmentation. “Known CVE not yet applied” points at patching.
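A blast-radius model of the flat versus segmented network above, as an added example, not code from the original page. The zone sizes (summing to the scenario's 1,400 hosts), the permitted zone links, and the assumption that a worm reaches every host it has a permitted path to are all constructed for illustration; the isolated OT zone shows the segmentation-versus-isolation line the Key Takeaway draws.

```python
from collections import deque
from typing import Dict, FrozenSet, Set, Tuple

Link = Tuple[str, str]   # (source zone, destination zone) the zone firewall permits

# Constructed fleet: zone -> host count, totalling the scenario's 1,400 hosts.
ZONES: Dict[str, int] = {"user": 900, "corporate": 350, "dmz": 30, "ot": 120}
FLAT: Dict[str, int] = {"corporate": 1400}   # the original flat Class-B network

# Constructed policy after segmentation: users reach corporate servers, servers
# reach the DMZ, nothing reaches OT (OT is isolated, not merely segmented).
SEGMENTED_LINKS: Set[Link] = {("user", "corporate"), ("corporate", "dmz")}

def reachable_zones(start: str, links: Set[Link]) -> Set[str]:
    """Zones a worm can pivot into from `start`, following permitted links only."""
    seen, queue = {start}, deque([start])
    while queue:
        zone = queue.popleft()
        for src, dst in links:
            if src == zone and dst not in seen:
                seen.add(dst)
                queue.append(dst)
    return seen

def blast_radius(zones: Dict[str, int], start: str, links: Set[Link],
                 microsegmented: FrozenSet[str] = frozenset()) -> int:
    """Hosts one compromised host in `start` can reach.

    Model: every host in a reachable zone is reachable through the permitted
    link. Microsegmentation blocks peer-to-peer traffic inside a zone, so the
    infected host's own neighbours are safe unless some reachable zone has a
    permitted link back into the start zone (a pivot through a server).
    """
    reached = reachable_zones(start, links)
    total = sum(zones[z] for z in reached if z != start)
    pivot_back = any(src in reached and dst == start for src, dst in links)
    if start in microsegmented and not pivot_back:
        return total + 1          # only the infected host itself
    return total + zones[start]   # whole home zone is peer-reachable

if __name__ == "__main__":
    print("flat network:            ", blast_radius(FLAT, "corporate", set()))
    print("segmented:               ", blast_radius(ZONES, "user", SEGMENTED_LINKS))
    print("segmented + microseg:    ",
          blast_radius(ZONES, "user", SEGMENTED_LINKS, frozenset({"user"})))
    print("microseg, servers->users:",
          blast_radius(ZONES, "user", SEGMENTED_LINKS | {("corporate", "user")},
                       frozenset({"user"})))
```

The last case is the caveat: a single permitted link back from the server zone into the user zone gives a worm its peers back, so segmentation is only as tight as the policy on the zone boundaries.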

Common Traps

Allow list vs. antivirus framed as the same thing
AV is blocklist — it blocks what it knows is bad. Allow-listing is default-deny — only known-good runs. Allow-listing catches unknown malware; AV does not. When the exam says “novel” or “unknown” or “zero-day executable,” pick allow list.
Why it is tempting: both are “prevent-malware” controls, so they feel interchangeable.
Hardening vs. patching confused
Patching fixes known flaws in software. Hardening reduces configurable attack surface (disable unused services, change defaults, remove bloat). A fully-patched system can still be badly hardened; a fully-hardened system still needs patches. The exam tests the distinction: if the question is about closing a configurable weakness, it is hardening.
Why it is tempting: both “make the system more secure,” so the line blurs.
Segmentation vs. isolation treated as synonyms
Segmentation = separated zones that still communicate via controlled paths. Isolation = no communication at all (air-gap, sandbox). They sit on the same spectrum but are not the same. The exam asks “which prevents any network traffic” (isolation) vs. “which limits lateral movement between zones that must still talk” (segmentation).
Why it is tempting: both involve “separating things.”
Default passwords overlooked as a mitigation
“Change default passwords” is both a hardening step and a direct mitigation for the default-credentials vector. Easy to dismiss as trivial — but Mirai-class botnets and countless breaches start here. If a question lists multiple controls and one is “change default credentials,” do not skip past it.
Why it is tempting: it sounds too basic to be the right answer.
Decommissioning framed as “turn it off”
Real decommissioning is broader: data wipe, certificate revocation, account disable, key rotation, license return, hardware destruction or secure reuse, removal from inventory and monitoring. Assets that were “shut down” but not fully de-integrated are a common source of ghost credentials and orphaned certificates. The exam expects the full workflow.
Why it is tempting: “decommission” sounds like power-off.
Exam Signal

Mitigation questions describe a threat and ask for the best control. Read for: (1) the failure mode the scenario is asking you to prevent (lateral movement, unknown malware execution, credential reuse, data exfiltration, default-credential abuse), and (2) whether the threat is known (patch, AV) or unknown (allow list, behavioral EDR, defense-in-depth). Pick the mitigation that directly addresses the described failure mode.

Quick Check — 2.5 Q1
A security team wants to prevent unknown malware from ever executing on a fleet of highly sensitive workstations, even if signature-based tools have never seen the sample. Which mitigation is the BEST fit?
  • A Traditional antivirus with daily signature updates
  • B Application allow list (default-deny execution)
  • C Host-based firewall
  • D Full-disk encryption

Correct: B. Default-deny execution only runs approved binaries. Unknown malware has no entry on the allow list and therefore cannot run, regardless of whether any signature exists.

A wrong: Signature-based AV blocks known malware; it cannot block samples it has never seen.

C wrong: Host firewalls restrict network flows, not local executable launches.

D wrong: Full-disk encryption protects data at rest against device theft; it does not gate execution.

Source: CompTIA SY0-701 Objectives v5.0 — 2.5 Mitigation Techniques

Quick Check — 2.5 Q2
A flat corporate network saw a worm spread from a single workstation to most endpoints within hours during a recent incident. Which mitigation directly addresses the blast radius of future lateral movement?
  • A Network segmentation and microsegmentation
  • B Full-disk encryption on all endpoints
  • C Multi-factor authentication on SSO
  • D Certificate-based authentication for email

Correct: A. Segmentation (with microsegmentation inside zones) limits how far a compromised host can reach, directly constraining lateral movement — the specific failure mode described.

B wrong: Disk encryption protects data at rest against theft, not runtime worm propagation.

C wrong: MFA protects authentication paths; a network worm exploiting SMB does not need interactive sign-in.

D wrong: Email certificate auth addresses identity in messaging, not network-layer spread.

Source: CompTIA SY0-701 Objectives v5.0 — 2.5 Mitigation Techniques

Quick Check — 2.5 Q3
A hardening review finds that a production Windows Server still has SMBv1, Telnet, and LLMNR enabled despite none being used. Which hardening action directly addresses this finding?
  • A Install full-disk encryption
  • B Disable unused ports and protocols
  • C Rotate the local administrator password
  • D Deploy host-based IDS signatures

Correct: B. Disabling unused ports and protocols is a core hardening step — it reduces attack surface, and it directly addresses the SMBv1/Telnet/LLMNR exposures described.

A wrong: Disk encryption does not remove exposed services.

C wrong: Rotating passwords is a good hygiene step but does not address the protocol-exposure finding.

D wrong: HIDS signatures detect activity; they do not remove unneeded services from the attack surface.

Source: CompTIA SY0-701 Objectives v5.0 — 2.5 Mitigation Techniques

Disclaimer: This content is provided for educational and exam preparation purposes only. It is not official CompTIA content, is not endorsed by CompTIA, and does not guarantee exam success. All practice questions are original and based on the published CompTIA SY0-701 Exam Objectives (v5.0). Always refer to the official CompTIA Security+ Exam Objectives as your primary reference.